VentomateVentomate← Back to home
Legal

Privacy Policy

Last updated: June 28, 2026  ·  Effective immediately

Ventomate Technologies Private Limited ("Ventomate", "we", "our", or "us") provides a cloud-based Point-of-Sale (POS), inventory management, and retail operations platform. This Privacy Policy explains how we collect, use, store, and protect information when you use our software, website, and services. By using Ventomate you agree to the practices described here.

1. Information We Collect

1.1 Business & Account Information

  • Business name, owner name, GSTIN, PAN, and contact details
  • Email address and mobile number used to create your account
  • Billing address and subscription plan details
  • Bank account or UPI details for payout reconciliation (where applicable)

1.2 Customer Data (Your End-Customers)

  • Name, phone number, and email address entered at checkout
  • Purchase history, loyalty points, and transaction receipts
  • Delivery address where home delivery is enabled
  • Customer segment tags and notes added by your staff

1.3 Transaction Data

  • Invoice numbers, line items, quantities, prices, and discount codes
  • Payment mode (cash, card, UPI, BNPL, split payment)
  • Returns, refunds, and void transaction records
  • Daily and shift-end cash reconciliation data
  • GST tax collected at each transaction

1.4 Inventory & Catalog Data

  • Product names, SKUs, barcodes, categories, and pricing
  • Supplier names and purchase order details
  • Stock levels, batch numbers, and expiry dates
  • Invoice images you upload for Gemini AI processing

1.5 Device & Usage Data

  • IP address, browser type, and operating system
  • Device identifiers for POS terminals and mobile devices
  • Session logs, feature usage events, and error reports
  • Approximate location (city/state) derived from IP for fraud prevention

2. Payment & Transaction Data

Ventomate does not store full payment card numbers (PAN), CVV codes, or card magnetic-stripe data on our servers. Card payments are processed through PCI DSS-certified payment gateway partners. We only receive and store:

  • A tokenized reference ID returned by the payment gateway
  • Last four digits of the card for display purposes
  • Transaction amount, status, and timestamp
  • UPI Transaction Reference Numbers (UTR)

For cash transactions, we record the tendered and change amounts to support end-of-day cash drawer reconciliation. All financial records are encrypted at rest using AES-256.

3. How We Use Your Information

PurposeLegal Basis
Operate and deliver the POS, inventory, and reporting featuresContract performance
Generate GST invoices and tax reportsLegal obligation
Process subscription billing and send payment receiptsContract performance
Detect fraud, abuse, and security incidentsLegitimate interest
Send transactional alerts (low stock, failed login)Contract performance
Improve product features using aggregated usage analyticsLegitimate interest
Provide customer support and respond to inquiriesContract performance
Send product updates and newsletters (with opt-out)Consent
Comply with law enforcement or regulatory requestsLegal obligation

4. Data Sharing & Disclosure

We do not sell your data. We share information only in the following circumstances:

4.1 Service Providers & Sub-processors

  • Cloud infrastructure — Amazon Web Services (AWS) / Google Cloud Platform for hosting and storage
  • Payment gateways — Razorpay, PhonePe Business, or other RBI-authorised payment aggregators
  • AI processing — Google Gemini API for invoice image analysis (images are not retained by Google for training without consent)
  • Communication — SMS/email providers for OTP and transactional notifications
  • Analytics — Privacy-safe analytics tools for product telemetry

4.2 Legal & Regulatory Disclosure

We may disclose information to government authorities, courts, or regulators when required by applicable Indian law (IT Act, DPDP Act 2023, GST law, or court order). We will notify you where legally permissible.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. You will be notified with at least 30 days' notice before any transfer occurs.

5. Data Retention

Data TypeRetention Period
GST invoices & financial transactions8 years (GST Act requirement)
Active account & subscription dataDuration of subscription + 6 months
Customer purchase historyDuration of subscription + 2 years
Staff activity logs2 years
Invoice images (AI processing)90 days after import, then deleted
Support tickets & communications3 years
Marketing opt-out recordsIndefinitely (to honour opt-out)
Deleted account dataPurged within 30 days of account deletion

6. Security Measures

We implement industry-standard safeguards appropriate to a POS platform handling financial and personal data:

  • All data in transit encrypted with TLS 1.2 or higher
  • All data at rest encrypted with AES-256
  • Role-based access control (RBAC) for your staff accounts
  • Multi-factor authentication (MFA) available for admin accounts
  • Automated security vulnerability scanning and dependency updates
  • Regular third-party penetration tests conducted annually
  • 24/7 infrastructure monitoring with intrusion detection alerts
  • Offline POS data stored encrypted locally and synced securely on reconnect

Breach notification: In the event of a personal data breach that poses a risk to your rights, we will notify affected account holders within 72 hours as required by applicable law.

7. PCI DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS) applies to all systems that store, process, or transmit cardholder data. Ventomate's approach:

  • Card data is never entered into or stored on Ventomate servers. All card entry happens on hardware terminals or hosted payment pages operated by our PCI-certified gateway partners.
  • We integrate only with RBI-authorised payment aggregators who maintain their own PCI DSS Level 1 certification.
  • Our internal systems are scoped out of PCI DSS by design — we receive only tokenised references and masked card details.
  • Merchants are advised to use EMV chip-and-PIN terminals provided by their acquiring bank and to never write card numbers on paper or enter them into the POS software manually.

8. GST & Financial Records

As a GST-compliant POS platform operating in India, Ventomate generates and stores tax invoices on your behalf. This means:

  • Invoice data including GSTIN, HSN/SAC codes, tax rates, and transaction amounts are retained for a minimum of 8 years as required under the CGST Act, 2017.
  • You are the data principal for your business records. Ventomate acts as a data processor on your behalf.
  • E-invoice and GSTR reports generated through Ventomate remain your property and can be exported at any time.
  • We do not share your financial data with the GST Network (GSTN) directly — that remains the merchant's responsibility through their CA or tax filing portal.

9. Employee & Staff Data

When you add staff members to your Ventomate account, we collect and process their data on your behalf:

  • Name, mobile number, and email address for account access
  • Assigned role and permissions (cashier, manager, admin)
  • Login timestamps, session durations, and device identifiers
  • Activity logs: sales processed, voids, discounts applied, and cash drawer openings
  • Shift start/end times where attendance tracking is enabled

As the business owner, you are responsible for:

  • Informing your staff that their activity is logged within the platform
  • Obtaining any consent required under applicable labour or privacy laws
  • Removing staff accounts promptly when employment ends

10. Third-Party Integrations

10.1 WhatsApp Business

Where the WhatsApp invoice sharing feature is enabled, customer phone numbers and invoice PDFs are transmitted to Meta's WhatsApp Business API. This is subject to Meta's own privacy policy. Customers can opt out of WhatsApp receipts at any time by notifying your staff.

10.2 Google Gemini AI

Invoice images you upload are sent to the Google Gemini API for text and data extraction. Google's API data handling policies apply. Images are processed transiently and are not used to train Google's models without explicit consent. Extracted data is stored on Ventomate servers.

10.3 Tally / Accounting Software

If you connect Ventomate to Tally or any accounting platform, we export the data you select (sales ledgers, purchase records) in the format required. Your use of those platforms is governed by their respective privacy policies.

11. Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable regulations, you have the following rights:

  • Access — Request a copy of the personal data we hold about you or your customers.
  • Correction — Ask us to correct inaccurate or incomplete personal data.
  • Erasure — Request deletion of personal data subject to legal retention obligations.
  • Portability — Export your business data (invoices, catalog, customer records) at any time from the dashboard in CSV or PDF format.
  • Withdrawal of consent — Opt out of marketing communications at any time via the unsubscribe link or by emailing us.
  • Grievance redressal — Lodge a complaint with our Grievance Officer (see Section 15) or with the Data Protection Board of India.

We will respond to verified requests within 30 days. To submit a request, email support@ventomate.com with subject line "Data Rights Request" and your registered account email.

12. Cookies & Analytics

Our marketing website uses cookies and similar tracking technologies:

CategoryPurposeConsent required
Strictly necessaryAuthentication session, CSRF protectionNo
FunctionalRemember language and display preferencesNo
AnalyticsUnderstand page usage, funnel drop-off (Google Analytics)Yes
MarketingGoogle Ads conversion tracking, retargeting pixelsYes

You can manage cookie preferences through your browser settings or our cookie consent banner. Declining analytics or marketing cookies will not affect access to the POS application.

13. Children's Privacy

Ventomate is a business-to-business platform intended solely for use by adults operating retail businesses. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor's data has been submitted to our platform, please contact us immediately at support@ventomate.com.

14. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you by email to your registered address and display a prominent notice in the Ventomate dashboard at least 14 days before the changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the revised policy. We encourage you to review this page regularly.

15. Contact Us

For privacy-related questions, data requests, or complaints, contact our Grievance Officer:

Grievance Officer

Ventomate Technologies Private Limited

Email: support@ventomate.com

We aim to acknowledge all requests within 48 hours and resolve them within 30 days.